Our ongoing dialogue with our clients confirms a common IT worry: cybersecurity prevention and protection are a top priority for healthcare practices of all sizes and specialties. Recently published industry statistics support their concern.
In August, HIMSS released the final report of their 2017 Cybersecurity Survey. “The survey provides insight into how healthcare organizations are protecting their information and assets, in light of increasing cyberattacks and compromises affecting the healthcare sector,” HIMSS said.
A key takeaway of this year’s survey is the effort that practices are putting into cybersecurity prevention. Protecting your practice against cyberattacks requires not one, two or even three security best practices. It requires implementing a group of best practices, each serving a different purpose.
As practices navigate the ever-changing cybersecurity landscape, prevention proves to be the most effective way to protect your practice.
As the HIMSS Survey reports, prevention is key and comes in many forms:
Seventy-one percent of survey respondents are allocating budget specifically for cybersecurity. Of that 71 percent, 40 percent are allocating 1-2 percent while 32 percent are allocating 3-6 percent of their IT budget toward cybersecurity programs.
- Information security staffing
For the first time, practices are recognizing the real risk of cyberattacks and their own vulnerability. Eighty percent of respondents indicate their organization employs cybersecurity staff. Research suggests that a security-staff-to-staff ratio of 1:500 is ideal for organizations that are information-centric and have significant exposure to the internet. Still, only 53 percent of survey respondents reported a ratio of 1:500 or higher.
- Information security leadership
Historically, information security has not been a business priority, but that is changing. Sixty percent of organizations report having a senior-level information security leader such as a Chief Information Security Officer (CISO).
- Insider threat management programs
“Three-quarters of respondents (75 percent) indicate that they have some type of insider threat management program at their organization,” HIMSS reports. Insider threats can be characterized as unintentional (such as an employee who accidentally clicks a link in an email) or malicious (such as a disgruntled employee who intentionally leaks private data). Threat management programs typically include formal policies, procedures and sanctions.
- Risk assessments
The HIPAA Security Rule requires practices to conduct a security analysis at least once a year. The good news is, 85 percent of practices conduct an analysis at least once a year. The great news: 34 percent conduct the analysis more frequently than once a year.
- Awareness training
Human error remains the number one vulnerability in healthcare practices, as it cannot be automated or policed. The vast majority of survey respondents, 87 percent, conduct staff training at least annually. While this form of staff training is effective in teaching, ongoing practice and enforcement remain a concern.
- Penetration testing
Penetration testing identifies gaps and vulnerabilities in IT networks. Seventy-five percent of practices conduct penetration testing annually or more frequently. HIMSS reports, “mock phishing exercises of workforce members (or even information security staff) can be conducted to determine how well (or poorly) these individuals perform.”
The cybersecurity landscape is changing incredibly quickly and practices not protecting themselves from cyberthreats are dangerously at risk. Tomorrow’s threats are sneakier, more sophisticated and more pervasive than ever before.
How does your practice protect against cybersecurity threats? Based on these survey results, how does your practice compare?